(energetic music) >> Announcer: From our studios in the heart of Silicon Valley; Palo Alto, California. This is a CUBE Conversation. >> Hi everyone, welcome to this special CUBE Power Panel recorded here in Palo Alto, California. We've got remote guests from around the Internet. We have Evan Anderson, Mark Anderson, Phil Lohaus. Thanks for comin' on. Evan is with INVNT/IP, an organization with companies and individuals that fight nation-sponsored intellectual property theft and also author of the huge report Theft Nation Almost a 100 pages of really comprehensive analysis on it. Mark Anderson with the Future in Review CEO of Pattern, Computer and Strategic New Service Chairman of Future in Review Conference, and author of the book "The Pattern Future: "Find the World's Greatest Secrets "and Predicting the Future Using Discovery Patterns" and Phil Lohaus, American Enterprise Institute. Former intelligent analyst, researcher at the American Enterprise Institute, studying competitive strategy and emerging technologies. Guys, thanks for coming on. This topic is, is industrial IoT the new battleground? Mark, you cover the Future Review. Security is the battleground. It's not just a silo'd space. It's horizontally scalable across every single touch point of the Internet, individuals, national security, companies, global, what's your perspective on this new battleground? >> Well, thank you, I took some time and watched your last presentation on this, which I thought was excellent. And maybe I'll try to pick up from there. There's a lot of discussion there about the technical aspects of IoT, or IIoT, and some of the weaknesses, you know firewalls failing, assuming that someone's in your network. But I think that there's a deeper aspect to this. And the problem I think, John, is that yes, they are in your network already, but the deeper problem here is, who is it? Is it an individual? Is it a state? And whoever it is, I'm going to put something out that I think is going to be worth talking more deeply about, and that is, if people who can do the most damage are already in there, and are ready to do it, the question isn't "Can they?" It's "Why have they not?" And so literally, I think if you ask world leaders today, are they in the electric grid? Yes. Is Russia in ours, are we in theirs? Yes. If you said, is China in our most important areas of enterprise? Absolutely. Is Iran in our banks and so forth? They are. And you actually see states of war going on, that are nuisances, but are not what you might call Cybergeddon. And I really believe that the world leaders are truly afraid. Perhaps more afraid of that than of nuclear war. So the amount of death and destruction that could happen if everybody cut loose at the same time, is so horrifying, my guess is that there's a human restraint involved in this, but that technically, it's already game over. >> Phil, Cybergeddon, I love that term, because that's a part of our theme here, is apocalypse now or later? Industrial IoT, or IIoT, or the Internet, all these touch points are creating a surface area that for penetration's purposes, any packet can get in. Nation-states, malware, you name it. It's all problem. But this is the new war battleground. This is now digital Cybergeddon. Forget the wall on the southern border, physical wall. We're talking about a digital wall. We have major threats going on to our society in the United States, and global. This is new, rules of engagement, or no rules of engagement on how to compete in a digital war. This is something that the government's supposed to protect us for. I mean, if someone drops troops in California, physical people, the government's supposed to stop that. But if it's a digital war, it's packets. And the companies are responsible for all this. This doesn't make any sense to me. Break it down, what's the problem? And how do we solve this? >> Sure, well the problem is is that we're actually facing different kinds of threats than we were typically used to facing in the past. So in the past when we go to war, we may have a problem with a foreign country, or a conflict is coming up. We tend to, and by we I mean the United States, we tend to think of these things as we're going to send troops in, or we're going to actually have a physical fight, or we're going to have some other kind of decisive culmination of events, end of a conflict. What we're dealing with now is very different. And it's actually something that isn't entirely new. But the adversaries that we're facing now, so let's say China, Russia, and Iran, just to kind of throw them into some buckets, they think about war very differently. They think about the information space more broadly, and partially because they've been so used to having to kind of be catching up to America in terms of technology, they found other ways to compete with America, and ways that we really haven't been focusing on. And that really, I would argue, extends most prominently to the information space. And by the information space I'm speaking very broadly. I'm talking about, not just information in terms of social media, and emails, and things like that, but also things like what we're talking about today, like IIoT. And these are new threat landscapes, and ones where our competitors have a integrated way of approaching the conflict, one in which the state and private sectors kind of are molded or fused or at least are compelled to work together and we have a very different space here in the United States. And I'm happy to unpack that as we talk about that today, but what we're now facing, is not just about technical capabilities, it's about differences in governing systems, differences in governing paradigms. And so it's much bigger than just talking about the technical specifics. >> Evan, I want you to weigh in on this because one of the things that I feel strongly about, and this is pretty obvious from the commentary, and experts I talk to is, the United States has always been good at defending itself physically, you know war, in being places. Digitally, we've been really good at offense, but terrible on defense, has been the metaphor. I spoke with former four-star General Keith Alexander, who ran the NSA and was first commander of the cyber command, who is now the CEO of IronNet. He and I were talking on-camera and privately and he's saying, "Look it. "we suck at defense digitally. "We're great at offense, we can take someone out "on the offense." But we're talking about IoT, about monitoring. These are technical challenges. This is network nerds, and software engineers have to solve this problem with the prism of defense. This is a new paradigm. This is what we're kind of getting to. And Mark, you kind of addressed it. But this is the challenge. IoT is going to create more points that we have to defend that we suck now at defending, how are we going to get better. This is the paradox. >> Yeah, I think that's certainly accurate. And one of our problems here is that as a society we've always been open. And that was how the Internet was born. And so we have a real paradigm shift now from a world in which the U.S. was leading an open world, that was using the Internet for, I mean there have been problems with security since day one, but originally the Internet was an information-sharing exercise. And we reached a point in human history now where there are enough malicious hackers that have the capabilities we didn't want them to have, but we need to change that outlook. So, looking at things like Industrial IoT, what you're seeing is not so much that this is the battlefield in specific, it's that everything like it is now the battlefield. So in my work specifically we're focused more on economic problems. Economic conflicts and strategies. And if you look at the doctrines that have come out of our adversaries in the last decade, or really 20 years, they very much did what Phil said, and they looked at our weaknesses, and one of those biggest weaknesses that we've always had is that an open society is also unable necessarily to completely defend itself from those who would seek to exploit that openness. And so we have to figure out as a society, and I believe we are. We're running a fine line, we're negotiating this tightrope right now that involves defending the values and the foundational critical aspects of our society that require openness, while also making sure that all the doors aren't open for adversaries. And so we'll continue to deal with that as a society. Everything is now a battlefield and a much grayer area, and IoT certainly isn't helping. And that's why we have to work so hard on it. >> I want to talk about the economic piece on the next talk track of rounds. Theft, and intellectual property that you cover deeply. But Mark and Phil, this notion of Cybergeddon meets the fact that we have to be more defensive. Again, principles of openness are out there. I mean, we have open source. There is a potential path here. Open source software has been, I think, depending on who you talk to, fourth generation, or fifth, depending on how old you are, but it's now mainstream enough now. Are we ever going to get to a formula where we can actually be strong in defense as well as just offense with respect to protecting digitally? >> Phil, do you want that? >> Well, yeah, I would just say that I'm glad to hear that General Alexander is confident about our offensive capabilities. But one of the... To NSA that is conducting these offensive capabilities. When we talk about Russia, Iran, China, or even a smaller group, like let's say an extremist group or something like that, there's an integration between command and control, that we simply don't have here in the States. For example, the Panasonic and Sony examples always come to mind, as ones where there are attacks that can happen against American companies that then have larger implications that go beyond just those companies. So and this may not be a case where the NSA is even tracking the threat. There's been some legislation that's come out, rather controversial legislation about so-called hacking back initiatives and things like that. But I think everybody knows that this is already kind of happening. The real question is going to be, how does the public sector, and how does the private sector work together to create this environment where they're working in synergy, rather than at cross purposes? >> Yeah, and this brings up, I've heard this before. I've heard people talk about the fact that open source nation states can actually empower by releasing tools in open source via the Dark Web or other vehicles, to not actually have, quote, their finger prints, on any attacks. This seems to be a tactic. >> Or go through criminals, right? Use proxies, things like that. It's getting even more complicated and Alexander's talked about that as well, right? He's talked about the convergence of crime and nation-state actions. So whereas with nation-states it's already hard-attributed enough, if that's being outsourced to either whether it's patriotic hackers or criminal groups, it's even more difficult. >> I think you know, Keith is a good friend of all of ours, obviously, good guy. His point is a good one. I'd like to take it a little more extreme state and say, defense is worth doing and probably hopeless. (everyone laughs) So, as they always say, all it takes is one failure. So, we always talk about defense, but really, he's right. Offense is easy. You want to go after somebody? We can get them. But if you want to play defense against a trillion potential points of failure, there's no chance. One way to say this is, if we ignore individuals for a moment and just look at nation-states, it's pretty clear that any nation-state of size, that wants to get into a certain network, will get in. And then the question will be, Well, once they're in, can they actually do damage? And the answer is probably yeah, they probably can. Well, why don't they? Why don't they do more damage? We're kind of back to the original premise here, that there's some restraint going on. And I suspect that Keith's absolutely right because in general, they don't want to get attacked. They don't want to have to come back at them what they're about to do to your banks or your grid, and we could do that. We all could do that. So my guess is, there's a little bit of failure on our part to have deep discussions about how great our defenses either are, or are not, when frankly the idea of defense is a good idea, worthwhile idea, but not really achievable. >> Yeah, that's a great point. That comes up a lot where it's like, people don't want retaliation, so it's a big, critical event that happens, that's noticeable as a counterstrike or equivalent. But there's been discussion of the, I call it "the slow bleed" where they push the line of where that is, like slowly infiltrate, and just cause disruption and inconvenience, as a tactic. This has become something we're seeing a lot of. Whether it's misinformation campaigns on fake news, to just disrupting operations slowly over time, and just kind of, 1,000 paper cuts, if you will. Your guys' thoughts on that? Is that something you guys see out there that's happening? >> Well, you saw Iran go after our banks. And we were pushing Iran pretty hard on the sanctions. Everybody knows they did that. It wasn't very much fun for anybody. But what they didn't do is take down the entire banking system. Not sure they could, but they didn't. >> Yeah, I would just add there that you see this on multiple fronts. You see this is by design. I'm sure that Mark is talking about this in his report but... they talk about this incremental approach that over time, this is part of the problem, right? Is that we have a very kind of black or white conception of warfare in this country. And a lot of times, even companies are going to think, well you know, we're at peace, so why would I do something that may actually be construed as something that's warlike or offensive or things like that? But in reality, even though we aren't technically at war, all of these other actors view this as a real conflict. And so we have to get creative about how we think about this within the paradigm that we have and the legal strictures that we have here in this country. >> Well there's no doubt at least in my non-expert military opinion, but as someone who is a techie, been on the Internet from day one, all my life, and all those tools, you guys as well, I personally think we're at war. 100%, there's no debate on that. And I think that we have to get better policy around this and understand it better. Because it's happening. And one of the obvious areas that we see in the news everyday, it's Huawei and intellectual property theft. This is an economic impact. I mean just look at what's happening in Brexit in the U.K. If that was essentially manipulated, that's the ultimate smart bomb, is to just destroy their financial system, which ended up happening through that misinformation. So there are economic realizations here, Evan,that not only come from the misinformation campaigns and other attacks, but there's real value with intellectual property. This is the report you put out. Your thoughts? >> There's very much an active conflict going on in the economic sphere, and that's certainly an excellent point. I think one of the most important things that most of the world doesn't quite understand yet, but our adversaries certainly understand, is that wars are fought for usually, just a few reasons. And there's a lot of different justification that goes on. But often it's for economic benefit. And if you look at human history, and you look at modern history, a lot of wars are fought for some form of economic benefit, often in the form of territory, et cetera, but in the modern age, information can directly and very quite obviously translate into economic benefit. And so when you're bleeding information, you're really bleeding money. And when I say information, again, it's a broad word, but intellectual property, which our definition, here at INVNT/IP is quite broad too, is incredibly valuable. And so if you have an adversary that's consistently removing intellectual property from what I would call our information ecosystem, and our business ecosystem, we're losing a lot of economic value there, and that's what wars are fought over. And so to pretend that this conflict is inactive, and to pretend that the underlying economy and economic strength that is bolstered or created by intellectual property isn't critical would be silly. And so I think we need to look at those kinds of dynamics and the kind of Gerasimov Doctrine, and the essential doctrine of unrestricted warfare that came out of the People's Republic of China are focused on avoiding kinetic conflict while succeeding at the kinds of conflict that are more preferable, particularly in an asymmetric environment. So that's what we're dealing with. >> Mark and Phil, people waking up to this reality are certainly. People in the know are that I talk to, but generally speaking across the board, is this a woke moment for tech? This Armageddon now or later? >> Woke moment for politicians not for tech, I think. I'm sure Phil would agree with this, but the old guard, go back to when Keith was running the NSA. But at that time, there was a very clear distinction between military and economic security. And so when you said security, that meant military. And now all the rules have changed. All the ways CFIUS works in the United States have changed. The legislation is changing, and now if you want to talk about security, most major nations equate economic security with national security. And that wasn't true 10 years ago. >> That's a great point. That's really profound, I totally agree. Phil. >> I think you're seeing a change in realization in Washington about this. I mean, if you look at the cybersecurity strategy of 2018, it specifically says that we're going to be moving from a posture of active defense to one of defending forward. And we can get into the discussion about what those words mean, but the way I usually boil down is it means, going from defending, but maybe a little bit forward, to actually going out and making sure that our interests are protected. And the reason why that's important, and we're talking about offense versus defense here, obviously the reason why, from what Mark was saying, if they're already in the networks, and they haven't actually done anything, it's because they're afraid of what that offensive response could be. So it's important that we selectively demonstrate what costs we could impose on different actors for different kinds of actions, especially knowing that they're already operating inside of our network. >> That's a great point. I mean, I think that's again another profound statement because it's almost like the pin in the grenade. Once they pull it, the damage is done. Again, back to our theme, Armageddon, now or later? What's the answer to this, guys? Is it the push to policy conversation and the potential consequences higher? Get that narrative going. Is it more technical protection in the networks? What's some of the things that people are talking about and thinking about around this? >> And it's really all of the above. So the tough part about this for any society and for our society is that it's expensive to live in a world with this much insecurity. And so when these kind of low-level conflicts are going on, it costs money and it costs resources. And companies had to deal with that. They spent a long time trying to dodge security costs, and now particularly with the advent of new law like the GDPR in Europe, it's becoming untenable not to spend that defensive money, even as a company, right? But we also are looking at a deepening to change policy. And I think there's been a lot of progress made. Mark mentioned the CFIUS reforms. There are a lot of different essentially games of Whack-A-Mole being played all around the world right now figuring out how to chase these security problems that we let go too long, but there's many, many, many fronts that we need to-- >> Whack-A-Mole's a great example. The visualization of that is just horrendous. You know, not the ideal scenario. But I got to get your point on this, because one of the things that comes up all the time in our conversations in theCUBE is, the government's job is to protect our securities. So again, if someone came in, and invaded my town in Palo Alto, it's not my responsibility to fight for the town. Maybe defend my own house. But if I'm a company being attacked by Russia, or China or Iran, isn't it the government's responsibility to protect me as a citizen and the company doing business there? So again, this is kind of the confusion that people have. If somebody's going to defend their hack, I certainly got to put security practices in place. This is new ground for the government, digitally speaking. >> When we started this INVNT/IP project, it was about seven years ago. And I was told by a very smart guy in D.C. that our greatest challenge was going to be American corporations, global corporations. And he was absolutely right. Literally in this fight to protect intellectual property, and to protect the welfare even of corporations, our greatest enemies so far have been American corporations. And they lobby hard for China, while China is busy stealing from them, and stealing from their company, and stealing from their country. All that stuff's going on, on a daily basis and they're in D.C. lobbying in favor of China. Don't do anything to make them mad. >> They're getting their pockets picked at the same time. And they're trying to do business in China. They're getting their pockets picked. That's what you're saying. >> They're going for the quarterly earnings report and that's all. >> So the problem is-- >> Yeah so-- >> The companies themselves are kind of self-inflicted wounds here for them. >> Yes. >> Yeah, just to add to that, on this note, there have been some... Business to settle interest. And this is something you're seeing a little bit more of. There's been legislation through CFIUS and things like that. There have been reforms that discourage the flow of Chinese money in the Silicon Valley. And there's actually a measurable difference in that. Because people just don't want to deal with the paperwork. They don't want to deal with the reputational risk, et cetera, et cetera. And this is really going to be the key challenge, is having policy makers not only that are interested in addressing this issue, because not all of them are even convinced it's a problem, if you can believe it or not, but having them interested and then having them understand the issue in a way that the legislation can actually be helpful and not get in the way of things that we value, such as innovation and entrepreneurialism and things like that. So it's going to take sophisticated policy-making and providing incentives so that companies actually want to participate and helping to make America safer. >> You're so right about the politicians. Capitol Hill's really not educated. I mean I tell my kids, and they ask the same questions, just look at Mark Zuckerberg and Sundar Pichai present to the government. They don't even know what an Android phone versus an iPhone is, nevermind what the Internet, and how this global economy works. This has become a makeup problem of the personnel in Capitol Hill. You guys see any movement? I'm seeing some change with a new guard, a new generation of younger people coming in. Certainly from the military, that's an easy when you see people get this. But a new generation of young millennials who are saying, "Hey, why are we doing this the old way?" and actually becoming more informed. Not being the lawyer at law-making. It's actually more technically savvy. Is there any movement, any bright hope there? >> I think there's a little hope in the sense that at a time when Congress has trouble keeping the lights on, they seem to have bipartisan agreement on this set of issues that we're talking about. So, that's hopeful. You know, we've seen a number of strongly bipartisan issues supported in Congress, with the Senate, with the House, all agreeing that this is an issue for us all, that they need to protect the country. They need to protect IP. They need to extend the definition of security. There's no argument there. And that's a very strange thing in today's D.C. to have no argument between the parties. There's no error between the GOP and the Democrats as far as I can tell. They seem to all agree on this, and so it is hopeful. >> Freedom has its costs and I think this is a new era of modern freedom and warfare and protection and all these dynamics are changing, just like Cloud 2.0 is changing application developers. Guys, this is a really important topic. Thank you so much for coming on, appreciate it. Love to do a follow-up on this again with you guys. Thanks for sharing your insight. Some great, profound statements there, appreciate it. Thank you very much. >> Thank you. >> Thanks for having us. >> It's been a CUBE Power Panel here from Palo Alto, California with Evan Anderson, Mark Anderson, and Phil Lohaus. Thank you guys for coming on. Power Panel: The Next Battleground in Industrial IoT. Security is a big part of it. Thanks for watching, this has been theCUBE. (energetic music)